Attorney Docket No.: 281486US90PCT 
Preliminary Amendment 

IN THE CLAIMS 
Please amend the claims as follows: 

1 . (Original) A relay apparatus for a terminal or a server on a private network that 
does not have an address on a global network to perform communication through the global 
network, comprising: 

a WAN interface unit which provides communication with the global network; 

a LAN interface unit which provides communication with the private network; 

an access control unit having means for controlling access from the global network 
to the private network in accordance with an access control rule which is established on a per 
sending device basis or on a per sending network basis; 

an address translation unit having: 

means for translating an address in accordance with an address translation rule 
established on a per sending device basis, in order to transferring information from a terminal 
on the global network to a terminal on the private network; and 

means for translating an address in accordance with an address translation rule 
established on a per sending device basis, in order to transferring information from a terminal 
on the private network to a terminal on the global network; and 

a database unit which records the access control rule and the address translation 

rule. 

2. (Original) The relay apparatus according to Claim 1, comprising: 

an authentication unit which performs authentication in response to a request for 
access permission sent from a terminal on the global network, wherein: 

the database unit further records user information used by the authentication unit 
to perform authentication; 

the access control unit further has: 
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means for adding an access control rule established on a per sending device basis 
or a per sending network basis to the database unit if the authentication succeeds; and 

means for deleting the added access control rule from the database unit when a 
predetermined criterion for ending communication is satisfied; and 

the address translation unit further has: 

means for adding an address translation rule established on a per sending device 
basis to the database unit if the authentication succeeds; and 

means for deleting the added address translation rule from the database unit when 
a predetermined criterion for ending communication is satisfied. 

3. (Original) The relay apparatus according to Claim 1, wherein: 
the access control unit further has: 

means for adding an access control rule established on a per sending device basis 
or on a per sending network basis to the database unit in response to a request from an 
authentication sever which performs authentication of a terminal on the global network; and 

means for deleting the added access control rule from the database unit when a 
predetermined criterion for ending communication is satisfied; and 

the address translation unit further has: 

means for adding an address translation rule established on a per sending device 
basis to the database unit in response to a request from the authentication server; and 

means for deleting the added address translation rule from the database unit when 
a predetermined criterion for ending communication is satisfied. 

4. (Original) An authentication server which permits access to the relay apparatus 
according to Claim 3, comprising: 

an interface unit which provides communication with a terminal on the global 
network and the relay apparatus; 



3 



Attorney Docket No.: 281486US90PCT 
Preliminary Amendment 

an authentication unit which performs authentication in response to a request for 

permission to access the relay apparatus from a terminal on the global network; 

a control unit having: 

means for requesting the relay apparatus to add an access control rule and an 
address translation rule for a packet from a terminal on the global network if authentication at 
the authentication unit succeeds; and 

means for requesting the relay apparatus to delete the added access control rule 
and address translation rule when a predetermined criterion for ending communication is 
satisfied; and 

a database unit which records information associating user information used by the 
authentication unit to perform authentication with an access control rule and address 
translation rule requested to be added. 

5. (Currently Amended) The relay apparatus according to any^ef Claim[[s]] 1 
[[to 3]], wherein: 

the access control unit further has: 

means for adding an access control rule established on a per sending device basis 
to the database unit in response to a request for initiating communication from a terminal on a 
private network; and 

means for deleting the added access control rule from the database unit when a 
predetermined criterion for ending communication is satisfied; and 

the address translation unit further has: 

means for adding an address translation rule established on a per sending device 
basis to the database unit in response to a request for initiating communication from a 
terminal on the private network; and 
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means for deleting the added address translation rule from the database unit when 

a predetermined criterion for ending communication is satisfied. 

6. (Original) An address translation apparatus for a terminal or a server on a 
private network that does not have an address on a global network to perform communication 
through the global network, comprising: 

a WAN interface unit which provides communication with the global network; 
a LAN interface unit which provides communication with the private network; 
an address translation unit having: 

means for translating an address in accordance with an address translation rule 
established on a per sending device basis, in order to transferring information from a terminal 
on the global network to a terminal on the private network; and 

means for translating an address in accordance with an address translation rule 
established on a per sending device basis, in order to transferring information from a terminal 
on the private network to a terminal on the global network; and 

a database unit for recording the address translation rules. 

7. (Original) The address translation apparatus according to Claim 6, wherein 
the address translation unit further has: 

means for adding an address translation rule established on a per sending device 
basis to the database unit in response to a request for initiating communication sent from a 
terminal on the global network or a terminal on a private network; and 

means for deleting the added address translation rule from the database unit when 
a predetermined criterion for ending communication is satisfied. 

8. (Original) The address translation apparatus according to Claim 7, comprising: 
an authentication unit which performs authentication in response to a request for 

initiating communication from a terminal on the global network, wherein: 
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the database unites further records user information used by the authentication unit 
to perform authentication; and 

the address translation unit adds the address translation rule to the database unit in 
response to a request for initiating communication from a terminal on the global network only 
if the authentication succeeds. 

9. (Original) The address translation apparatus according to Claim 7, wherein the 
address translation unit adds the address translation rule to the database unit in response to a 
request for initiating communication from a terminal on the global network only if an 
authentication server which performs authentication requests the addition. 

10. (Original) An authentication server which permits access to the address 
translation apparatus according to Claim 9, comprising: 

an interface unit which provides communication with a terminal on the global 
network and the address translation apparatus; 

an authentication unit which performs authentication in response to a request for 
permission to access the address translation apparatus from a terminal on the global network; 

a control unit having: 

means for requesting the address translation apparatus to add an address 
translation rule for a packet sent from a terminal on the global network if authentication at the 
authentication unit succeeds; and 

means for requesting the address translation apparatus to delete the added address 
translation rule when a predetermined criterion for ending communication is satisfied; and 

a database unit which records user information used by the authentication unit to 
perform authentication. 
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11. (Original) A firewall apparatus which allows a packet from a global network 
external to the firewall to pass through to a private network internal to the firewall apparatus 
if the packet meets an acceptance condition set in a database unit, comprising: 

a WAN interface unit which provides communication with the global network; 

a LAN interface unit which provides communication with the private network; 

an access control unit having means for controlling access from the global network 
to the private network in accordance with an access control rule established on a per sending 
device basis or on a per sending network basis; 

an authentication unit which performs authentication in response to a request for 
access permission from the global network; and 

a database unit which records the access control rule and user information used by 
the authentication unit to perform authentication. 

12. (Original) The firewall apparatus according to Claim 1 1, wherein: 
the access control unit further has means for adding an access control rule 

established on a per sending device basis or on a per sending network basis to the database 
unit if authentication at the authentication unit succeeds and an access control rule for a 
request for access permission from a device on the global network is not recorded in the 
database unit; and 

means for deleting the added access control rule from the database unit when a 
predetermined criterion for ending communication is satisfied. 

13. (Original) The firewall apparatus according to Claim 12, wherein the access 
control unit further has: 

means for, if a request for new access permission is provided from a device on the 
global network that is using an established secure session during the duration of the secure 
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session, sending notification seeking confirmation of the request to the device on the global 
network by using the secure session; and 

means for rejecting a new access regardless of the access control rule if denial of 
the request is returned from the device on the global network. 

14. (Currently Amended) The firewall apparatus according to aay-ef Claim[[s]] 
1 1 [[to 13]], wherein the access control unit further has: 

means for monitoring the status of communication; and 
means for notifying the device on the global network of an anomaly in 
communication if a predetermined criterion for communication anomaly is satisfied. 

15. (Original) The relay apparatus according to Claim 1, comprising: 

the access control rule and the address translation rule have a condition with the IP 
address of the sending device or the IP address of the sending network. 

16. (Original) The relay apparatus according to Claim 15, comprising: 

an authentication unit which performs authentication in response to a request for 
access permission sent from a terminal on the global network, wherein: 

the database unit further records user information used by the authentication unit 
to perform authentication; 

the access control unit further has: 

means for adding an access control rule established on a per sending device basis 
or a per sending network basis to the database unit if the authentication succeeds; and 

means for deleting the added access control rule from the database unit when a 
predetermined criterion for ending communication is satisfied; and 

the address translation unit further has: 

means for adding an address translation rule established on a per sending device 
basis to the database unit if the authentication succeeds; and 
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means for deleting the added address translation rule from the database unit when 

a predetermined criterion for ending communication is satisfied. 

17. (Original) The address translation apparatus according to Claim 6, 
comprising: 

the address translation rule has a condition with the IP address of the sending device 
or the IP address of the sending network. 

18. (Original) The address translation apparatus according to Claim 17, wherein 
the address translation unit further has: 

means for adding an address translation rule established on a per sending device 
basis to the database unit in response to a request for initiating communication sent from a 
terminal on the global network or a terminal on a private network; and 

means for deleting the added address translation rule from the database unit when 
a predetermined criterion for ending communication is satisfied. 

19. (Original) The firewall apparatus according to Claim 11, comprising: 

the access control rule has a condition with the IP address of the sending device or the 
IP address of the sending network. 

20. (Original) The firewall apparatus according to Claim 19, wherein: 
the access control unit further has means for adding an access control rule 

established on a per sending device basis or on a per sending network basis to the database 
unit if authentication at the authentication unit succeeds and an access control rule for a 
request for access permission from a device on the global network is not recorded in the 
database unit; and 

means for deleting the added access control rule from the database unit when a 
predetermined criterion for ending communication is satisfied. 
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21. (Original) An address translation method for a terminal on a private network 
that does not have an address on a global network to perform communication through the 
global network, comprising: 

recording an address translation rule established on a par sending device basis in a 
database unit beforehand; 

when a packet from the global network is received by a WAN interface unit, 

translating, by an address translation unit, a destination address in accordance with 
the address translation rule; and 

transferring, by a LAN interface unit, the packet having the translated address to 
the private network; 

when a packet from the private network is received by a LAN interface unit, 

translating, by the address translation unit, a source address in accordance with the 
address translation rule; and 

transferring, by the WAN interface unit, the packet having the translated address to 
the global network. 

22. (Original) An address translation method for a terminal on a private network 
that does not have an address on a global network to perform communication through the 
global network, comprising: 

recording an address translation rule established on a per sending device basis in a 
database unit beforehand; 

when a packet from the global network is received by a WAN interface unit, 

performing authentication in an authentication unit and; 

if the authentication succeeds, checking, by the address translation unit, the 
database unit to see whether or not an address translation rule that matches source 
information and destination information of the packet is stored in the database unit, and 
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if a matching address translation rule is found in the database unit, translating the 
address of the packet in accordance with the address translation rule; 

if a matching address translation rule is not found in the database unit, adding an 
address translation rule to the database unit and translating the address of the packet in 
accordance with the added address translation rule; and 

transferring, by a LAN interface unit, the packet having the translated address to 
the private network; 

when a packet from the private network is received by the LAN interface unit; 

checking, by the address translation unit, the database unit to see whether or not an 
address translation rule that matches source information and destination information of the 
packet is recorded in the database unit, and 

if a matching address translation rule is found in the database unit, translating the 
address of the packet in accordance with the address translation rule; 

if a matching address translation rule is not found in the database unit, adding an 
address translation rule to the database unit and translating the address of the packet in 
accordance with the added address translation rule; and 

transferring by the WAN interface unit the packet having the translated address to 
the global network; and 

if there is an address translation rule added by the address translation unit, deleting 
the address translation rule from the database unit when a predetermined criterion for ending 
communication is satisfied. 

23. (Original) The address translation method according to Claim 22, wherein, 
instead of performing authentication in the authentication unit, determination is made that 
authentication is successful when a request is received from an authentication server which 
performs authentication of a terminal on the global network. 
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24. (Original) An access control method for allowing a packet from a global 
network external to a firewall to pass through to a private network internal to the firewall if 
the packet meets an access control rule set in a database unit, comprising: 

recording an access control rule established on per a sending device basis or on a 
per sending network basis in a database unit beforehand; and 

when a connection request from the global network is received by a WAN 
interface unit, checking, by an access control unit, the database unit to see whether or not an 
access control rule that matches the connection request is recorded in the database unit; and 

if the access control rule is found in the database unit, permitting communication. 

25. (Original) An access control method for allowing a packet from a global 
network external to a firewall to pass through to a private network internal to the firewall if 
the packet meets an access control rule set in a database unit, comprising: 

recording an access control rule established on a per sending device basis or on a 
per sending network basis in a database unit beforehand; and 

when a connection request from the global network is received by a WAN 
interface unit, performing authentication in an authentication unit; and 

if the authentication succeeds, checking, by an access control unit, the database 
unit to see whether or not an access control rule that matches the connection request is 
recorded in the database unit; and 

if a matching access control rule is found in the database unit, permitting the 
communication; 

if a matching access control rule is not found in the database unit, adding an access 
control rule established on a sending device basis or on a sending network basis to the 
database unit and permitting the communication; 

when a packet from the private network is received by a LAN interface unit, 
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checking, by the access control unit, the database unit to see whether or not an 
access control rule that matches the connection request is recorded in the database unit; and 

if a matching access control rule is found in the database unit, permitting 
communication; 

if a matching access control rule is not found in the database unit, adding an access 
control rule established on a sending device basis to the database unit and permitting the 
communication; and 

if there is an access control rule added by the access control unit, deleting the 
access control rule from the database unit when a predetermined criterion for ending 
communication is satisfied. 

26. (Original) The access control method according to Claim 25, instead of 
performing authentication in the authentication unit, determination is made that 
authentication is successful when a request is received from an authentication server which 
performs authentication of a terminal on the global network. 

27. (Currently Amended) The access control method according to any of 
Claim[[s]] 24 [[to 26]], wherein: 

the communication status of a established secure session is monitored during the 
secure session; and 

if a predetermined criterion is met, the device on the global network that is using 
the established secure session is notified of occurrence of anomaly. 

28. (Currently Amended) The access control method according to any of 
Claim[[s]] 24 [[to 26]], wherein: 

if a new connection request from a terminal on the global network that has 
established a secure session is received by the WAN interface unit during the duration of the 
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secure session, the information on the connection request is notified to the terminal on the 
global network that has the established secure session; and 

if a denial of the request is returned from the device, rejecting the connection 
regardless of the access control rule recorded in the database unit. 
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